Don't Look Now! Google Glass Pwned By Lowly QR Code

Earlier this week, we wrote about how some features of Google Glass could be used as attack vectors. Well gentle reader, it has already come to pass: Lookout has announced that they have discovered a critical vulnerability in Google Glass. Thankfully, Google has already patched the issue.

Earlier this week, we wrote about how some features of Google Glass could be used as attack vectors. Well gentle reader, it has already come to pass: Lookout has announced that they have discovered a critical vulnerability in Google Glass. Thankfully, Google has already patched the issue.

Lookout's principal security analyst Marc Rogers told SecurityWatch that discovered a vulnerability in how the wearable computer processed QR codes. Because of Glass's limited user interface, Google set up the device's camera to automatically process any QR code in a photograph.

"On the face of it, it's a really exciting development," said Rogers. "But the issue is the moment Glass sees a command code it recognizes, it executes it." With this knowledge, Lookout was able to produce malicious QR codes that forced Glass to perform actions without the user's knowledge.

Glass-cast and Malicious Wi-Fi The first malicious QR code Lookout created would initiate a "Glass-cast" without the user's knowledge. For the uninitiated, Glass-casting shares whatever appears on the Google Glass screen to a paired Bluetooth device.

Rogers pointed out that this was, actually, a powerful feature. "If you look at the glass UI, it can only be worn by a single person," he explained. With Glass-cast, the wearer can share their view with other people. Lookout's malicious QR code, however, triggered a Glass-cast entirely without the user's knowledge.

While the idea of someone being able to view a screen so intimately positioned to your face is extremely disconcerting, the attack has some obvious limitations. First and foremost, an attacker would have to be near enough to receive the transmission via Bluetooth. What's more, an attacker would have to pair their Bluetooth device to your Google Glass, which would require physical access. Though Rogers points out doing so would not be difficult because Glass, "has no lockscreen and you can confirm [the pairing] just by tapping it."

More troubling was a second malicious QR code Lookout created, which forced Glass to connect to a designated Wi-Fi network as soon as it was scanned. "Without even realizing it, your Glass is connected to his access point and he can see your [web] traffic," said Rogers. He took the scenario one step further, saying that the attacker could, "respond with a web vulnerability, and at that point Glass gets hacked."

These are just examples, but the underlying issue is that Google never accounted for scenarios where users would unwittingly photograph a QR code. An attacker could simply post a malicious QR code in a popular tourist spot, or dress up the QR code as a tempting advertisement. Whatever the method of delivery, the result would be invisible to the user.

Google to the RescueOnce Lookout found the vulnerability, they reported it to Google who pushed out a fix within two weeks. "It's a good sign that Google is managing these vulnerabilities and treating them as a software problem," said Rogers. "They can put out the updates silently and fix vulnerabilities before users are even aware of the problem."

In the new version of the Glass software, you have to navigate to a relevant settings menu before a QR code can take effect. For instance, to use a QR code to connect to a Wi-Fi network, you must first be in the network settings menu. Glass will also now inform the user about what QR code does, and ask permission before executing it.

This new system presumes that you know what the QR code will do before you scan it, which apparently is what Google intended from the start. In addition to Glass, Google created a companion app for Android phones which creates QR codes so users can quickly configure their Glass devices. Google simply did not foresee QR codes as an avenue for attack.

In the FutureWhen I spoke with Rogers he was very optimistic about the future of Glass, and products like it. He said that the speed of Google's response and the ease with which the update was deployed was exemplary. However, I cannot help but look at the fractured Android ecosystem and worry that future devices and vulnerabilities may not be handled so deftly.

Rogers compared the issues with Glass to those found in medical equipment, which were discovered years ago but still haven't been fully addressed. "We cannot manage [Glass] like static hardware with firmware we never update," he said. "We need to be agile."

Despite his optimism, Rogers did have some words of caution. "New things mean new vulnerabilities," he said. "The bad guys adapt and try different things."

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...
More »